Ten Rules for Cyber Security
Eneken Tikk
This article was first published in Survival | vol. 53 no. 3 | June-July 2011 | pp. 119-132
[...] -tions infrastructure, banks and online media in 2007, the global perception of cyber threats has drastically changed. Politically and ideologically moti- [...] security experts and have shown there is a price to pay for an advanced [...] worm targeting Microsoft Windows, detected in 2008) and Stuxnet (a worm targeting the Iranian nuclear programme) show that cyber crime continues to increase in sophistication.

Before the Estonian incident, organisations tended to treat their risks and arrangements in isolation. Cyber security was merely the sum of indi- [...]

Other areas of policy and law, beyond cyber crime, also need to be [...]
Eneken Tikk is Legal Adviser at the NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia.
Eneken Tikk, Ten Rules for Cyber Security
[...] -cations test the limits of the existing legal framework for data protection, electronic communications and access to public information. Moreover, nations are already developing cyber-warfare capabilities. The spectrum of [...] patching software, for example) to breaches of legal obligations (such as not reporting illegal activity) to crime to national-security threats to out- [...]

[...] relating to cyber security range from the soft (standards and best practices) to organisational (contracts and internal regulations) to national to international agreements and customary law, which inform the four key legal areas: the law of network and information security (also referred to as cyber law or information-society law), dealing with, for example, data protection, e-commerce, electronic communications and access [...] -tion, cooperation); national-security law and possible restrictions to human rights and liberties resulting [...] of legal frameworks and remedies. Contemporary cyber threats can only be confronted by combining the regulation, remedies and legal practice of these four key areas of law.

Ten rules focused on issues and working solutions arising from discussions among experts or in the course of cyber-incident handling can be [...] general, and highlight the disparity between legal theory and practice. The rules are intended to focus international debate on the quality and interpretation of existing law rather than the need for new legal frame- [...] political or technical aspects and need to be considered from the perspective of constructive solutions. Several issues seen as challenges for new legislation, for example data protection or Internet service-provider [...]
Cyber attacks test the limits of existing law
[...] liability, can, moreover, be solved through interpretation of or simple exceptions from existing legal constructs instead of a wholly new legal approach.
The Territoriality Rule
Information infrastructure located within a state's territory is subject to that state's territorial sovereignty.

The territoriality principle empowers nations to impose their sovereignty on information infrastructure located within their territory or otherwise subject to their jurisdiction. The responsibility of a state for securing its own networks is supported by the internationally recognised concepts of non-intervention and sovereignty. [...] is subject to the sovereign prerogatives of that state. Every government [...] territory, for example by ensuring the availability and quality of logs, maintaining an overview of the providers of electronic communications, developing an understanding of threats and capabilities existing within its jurisdiction to cope with and manage incidents, and balancing the development of the information society with the interests of national security.

In view of the global nature of cyber threats, there is on-going debate over whether territoriality-based legal frameworks can cope, but the lessons of Estonia, Georgia and other major cyber incidents show that nations can and [...] communications, criminal sanctions, investigative authority, cooperation with ISPs and many other essential elements of successful cyber defence depend on the quality of the national law. Until the options for implementation and interpretation of national legal instruments are exhausted, it is [...] international level.
The Responsibility Rule
[...] state.

If a cyber operation has been launched or otherwise originated from govern- [...] in question is associated with the operation. Nations therefore need to con- [...] activities that make use of their information infrastructure. They will face public condemnation [...] will be expected to respond [...] assist with inves- [...] or about the perpetrators, methods and tools involved, even active law- [...] reasonably be expected from the countries whose infrastructure has been involved.

[...] critical Estonian government and private infrastructure networks. This [...] the United States' and other nations' information systems. Countries may also be expected to raise their own levels of cyber security by establishing stronger control over the use and exploitation of the information infrastructure under their jurisdiction. The balance between economic and security interests will, of course, need to be struck on a case-by-case basis.

[...] organising, training, supplying and equipping as well as the selection of targets and the planning of the whole of the operation) is not enough to meet the threshold. In the Tadić case it was concluded that overall control [...] -ipation in the planning and supervision of military operations. Constructs [...] known in international environmental law.
The Cooperation Rule
[...] located in a state's territory creates a duty to cooperate with the victim state.

The interconnectedness of global information infrastructure makes it impos- [...] well as between national governments and international organisations. Cross-disciplinary cooperation between legal, policy, military and technical experts is also necessary.

While the vast majority of information infrastructure is privately [...] -mation services and networks that the private sector supports on a contractual basis. Cooperation may take the form of consulting, information exchange and reallocation of resources, as well as supporting services [...] partnerships as well as coalition agreements will support the legal framework for cooperation. The Cyber Crime Convention invites the parties to cooperate through the application of relevant international instruments on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceed- [...] The cooperation principle can also be found in the North Atlantic Treaty, whereby the parties will consult together whenever, in the opinion of any of them, the territorial integrity, political independence or security of any of the parties is threatened.
The Self-Defence Rule
Everyone has the right to self-defence.

The concept of self-defence is part of both criminal and international law. In principle, everyone has the right to self-defence, subject to the proportionality and necessity of such action.

In criminal law, if a victim reasonably believes that unlawful force is about to be used against him, there is no liability for what would otherwise be wrongful acts in self-defence. This is not to say that every cyber [...] last resort.

On the international level, the criteria for invoking individual and collective self-defence are based on custom, the UN Charter and international [...] by international partners (the North Atlantic Council invoking Article 4 of [...] against one or more of the parties in Europe or North America shall be [...] each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the UN Charter, will assist the party or parties [...]
The Data Protection Rule
Information infrastructure monitoring data are perceived as personal unless provided for otherwise (the prevalent interpretation in the EU).

The need for network monitoring and information exchange has to be carefully assessed against individuals' right to privacy. There is currently a considerable divide between the legal and technical approaches to data and their security. While the monitoring of network data seems to be well-established and routine [...] -egal experts.

According to the EU Data Protection Directive, any information relating [...] The prevalent opinion in the countries implementing the directive is that IP addresses are personal data and subject to processing restrictions under national legislation. Such restrictions include requiring the consent of the data subject for processing these data, prohibitions on transferring these data to third countries, and potential inadmissibility as evidence of such data obtained in an unlawful manner. According to the EU Data Protection Directive, the transfer to a third country of personal data may take place only if the third country ensures an adequate level of protection. [...] but the directive allows for exceptions in the public interest and for national security. There are also exceptions for criminal proceedings. Clearly identifying the need for and methods of data and packet inspection will help establish the right balance between privacy and monitoring.
The Duty of Care Rule
Everyone has the responsibility to implement a reasonable level of security in their information infrastructure.

The concept of duty of care is well established in many areas of law: an individual is under obligation to guarantee the protection of personal data he processes; and due-diligence duties arise from the legal framework of data protection, information-society services, consumer protection and so on. Under the EU Data Protection Directive, for example, a controller of personal data must implement appropriate technical and organisational measures to protect such data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, taking into account the state of the art and the costs of implementation.

[...] for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981). Article 7 requires appropriate security measures to [...] against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination.

As cyber threats with political dimensions become more prevalent, the duty of care concept can be extended to develop security standards for critical information infrastructure and governmental or military information services.
The Early Warning Rule
There is an obligation to notify potential victims about known, upcoming [...]

In 2008, 300 Lithuanian websites were defaced with the hammer and sickle symbol after the Lithuanian Parliament passed a law banning (among other [...] -tomers and informed them about the incident. If implemented widely, this approach could considerably improve cyber security.

The fact that governmental agencies were given advance warning of the [...] -ernmental information infrastructure and the need for a non-discriminatory duty to inform both public- and private-sector ISPs and web hosts about known threats.

[...] or contracts. For Lithuania as well as other European Union members, the obligations of service providers to ensure security of services derive from the ePrivacy Directive 2002/58/EC. This directive invokes a general obligation to take appropriate technical and organisational measures to safeguard the security of a provider's services. If necessary, the service provider must coordinate further action with the provider of a public communications network to which it connects. According to the E-Commerce Directive, member states may establish obligations for information-society service providers promptly to inform the competent public authorities of alleged illegal activities.
The Access to Information Rule
The public has a right to be informed about threats to their life, security and well-being.

There is a strong trend in Europe towards transparency of governmental acts and records, giving the public the right to be informed about threats and decisions related to their life and well-being. A holder of information is required to disclose existing information relating to danger to the life, health and property of persons.

The presumption is that public-sector information should be publicly accessible unless there are compelling reasons otherwise. While access to [...] awareness about cyber security, it may also result in unwanted publicity. [...] against them, and their results, might reduce trust in their business model [...] often require publication of such information. A balance needs to be struck between these public and private-sector interests. Open discussion of the [...]

The legal framework for access to information will be an important aspect of cyber security in the context of strategic communication and public awareness.
The Criminality Rule
Every nation has the responsibility to include the most common cyber [...]

The criminality rule is a reminder rather than something qualitatively new. [...] It is therefore practically impossible for the state to sanction someone [...] cyber crime. The Lithuanian case showed that random private-sector targets can [...] showed that, in a country with a rather low rate of cyber crime, politically [...] disrupt communications within and with the government and leave national [...] investigatory powers. The Georgian case showed how seamless connections between patriotic hackers and a government conducting kinetic warfare can [...]

Existing international agreements, such as the Council of Europe Convention on Cybercrime, are a good starting point for enhancing and harmonising national legal responses to cyber crime. Each party must adopt such legislative and other measures as may be necessary to establish as [...] access to the whole or any part of a computer system without right.
The Mandate Rule
An organisation's capacity to act (and regulate) derives from its mandate.

[...] realm of developing new or revising existing cyber-security agendas. Analysis of existing legal and policy instruments related to cyber security reveals overlaps and gaps in international coordination. For example, international cyber-crime harmonisation has been a focus of at least six major international organisations. For states party to a number of such organisations, this raises the question of the appropriate input of each to a national cyber-security framework.

To justify governmental investments in their cyber capabilities, interna- [...] mechanisms for collective self-defence, it still needs a framework for han- [...] targeted against the organisation itself or individual member states. [...] and as governmental information infrastructure becomes a more frequent target, developing national and international capabilities will become an investment issue. NATO's niche could be gathering, exchanging and devel- [...] consequences or issues of cooperative defence and security.

* * *

These ten rules outline key concepts and areas that must be included or addressed in a comprehensive legal approach to cyber security. They are intended to raise awareness about existing legal complications involving cyber security and ways to overcome them, to serve as a focus for debate and coordination within and across disciplines, and to inform well-grounded proposals for additional legislation on the international level.